I have a client that is very concerned about security and wants to know what each decode is analyzing. Is there a white paper or document that details what each decode is looking at to make sure that no confidential information is showing?
As usual - it depends
As the purpose of a decode is (as the name says) to decode traffic, anything in the packets can be "seen".
On the other hand, anything can be obscured or selected to not be decoded - for example, Masking of Sensitive HTTP Information.
If you search at the top of this page for "sensitive information", you will get more examples.
Yes, Ulf is absolutely correct. Also, for analyzers such as Oracle, SQL, DB2, we can mask out sensitive query info in the query using the '?' character or just cut the queries before certain keywords.
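
The two masking approaches named in the last reply (replacing query literals with '?' and cutting the query before a keyword), sketched as an added example that is not part of the thread and not the product's own implementation. The function names, the keyword list and the sample queries are assumptions made for illustration.

```python
import re

# A single-quoted SQL string ('' is an escaped quote). An unterminated string
# is matched to the end of the query so nothing leaks on malformed input.
_STRING = r"'(?:[^']|'')*(?:'|\Z)"
# A standalone integer or decimal; digits inside identifiers (col1) are kept.
_NUMBER = r"\b\d+(?:\.\d+)?\b"
_LITERAL = re.compile(_STRING + "|" + _NUMBER)

# Assumed keyword list: the clauses that usually carry user data.
DEFAULT_KEYWORDS = ("WHERE", "VALUES", "SET")


def mask_literals(query: str) -> str:
    """Replace every string and numeric literal with '?'."""
    return _LITERAL.sub("?", query)


def cut_before(query: str, keywords=DEFAULT_KEYWORDS) -> str:
    """Truncate the query at the first keyword found outside a string literal."""
    alternatives = "|".join(re.escape(k) for k in keywords)
    scanner = re.compile(_STRING + r"|\b(" + alternatives + r")\b", re.IGNORECASE)
    for match in scanner.finditer(query):
        if match.group(1):  # a keyword, not a quoted string
            return query[:match.start()].rstrip()
    return query


if __name__ == "__main__":
    # Constructed sample queries, not captured traffic.
    samples = [
        "SELECT name FROM patients WHERE ssn = '123-45-6789' AND age > 42",
        "INSERT INTO notes (body, uid) VALUES ('it''s at 10 where x', 7)",
        "SELECT 'where' AS w FROM t WHERE id = 5",
        "SELECT * FROM t WHERE name = 'O",
    ]
    for q in samples:
        print(mask_literals(q), "|", cut_before(q))
```

Masking keeps the query shape visible for troubleshooting, while cutting removes the data-bearing clause entirely; which one fits depends on how much of the statement the client considers confidential.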